npm - @sandrinio/vbounce - Versions diffs - 1.0.0 - Mend

@sandrinio/vbounce 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (95) hide show

package/skills/react-best-practices/rules/server-after-nonblocking.md ADDED Viewed

@@ -0,0 +1,73 @@
+---
+title: Use after() for Non-Blocking Operations
+impact: MEDIUM
+impactDescription: faster response times
+tags: server, async, logging, analytics, side-effects
+---
+## Use after() for Non-Blocking Operations
+Use Next.js's `after()` to schedule work that should execute after a response is sent. This prevents logging, analytics, and other side effects from blocking the response.
+**Incorrect (blocks response):**
+```tsx
+import { logUserAction } from '@/app/utils'
+export async function POST(request: Request) {
+  // Perform mutation
+  await updateDatabase(request)
+  // Logging blocks the response
+  const userAgent = request.headers.get('user-agent') || 'unknown'
+  await logUserAction({ userAgent })
+  return new Response(JSON.stringify({ status: 'success' }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' }
+  })
+}
+```
+**Correct (non-blocking):**
+```tsx
+import { after } from 'next/server'
+import { headers, cookies } from 'next/headers'
+import { logUserAction } from '@/app/utils'
+export async function POST(request: Request) {
+  // Perform mutation
+  await updateDatabase(request)
+  // Log after response is sent
+  after(async () => {
+    const userAgent = (await headers()).get('user-agent') || 'unknown'
+    const sessionCookie = (await cookies()).get('session-id')?.value || 'anonymous'
+    logUserAction({ sessionCookie, userAgent })
+  })
+  return new Response(JSON.stringify({ status: 'success' }), {
+    status: 200,
+    headers: { 'Content-Type': 'application/json' }
+  })
+}
+```
+The response is sent immediately while logging happens in the background.
+**Common use cases:**
+- Analytics tracking
+- Audit logging
+- Sending notifications
+- Cache invalidation
+- Cleanup tasks
+**Important notes:**
+- `after()` runs even if the response fails or redirects
+- Works in Server Actions, Route Handlers, and Server Components
+Reference: [https://nextjs.org/docs/app/api-reference/functions/after](https://nextjs.org/docs/app/api-reference/functions/after)

package/skills/react-best-practices/rules/server-auth-actions.md ADDED Viewed

@@ -0,0 +1,96 @@
+---
+title: Authenticate Server Actions Like API Routes
+impact: CRITICAL
+impactDescription: prevents unauthorized access to server mutations
+tags: server, server-actions, authentication, security, authorization
+---
+## Authenticate Server Actions Like API Routes
+**Impact: CRITICAL (prevents unauthorized access to server mutations)**
+Server Actions (functions with `"use server"`) are exposed as public endpoints, just like API routes. Always verify authentication and authorization **inside** each Server Action—do not rely solely on middleware, layout guards, or page-level checks, as Server Actions can be invoked directly.
+Next.js documentation explicitly states: "Treat Server Actions with the same security considerations as public-facing API endpoints, and verify if the user is allowed to perform a mutation."
+**Incorrect (no authentication check):**
+```typescript
+'use server'
+export async function deleteUser(userId: string) {
+  // Anyone can call this! No auth check
+  await db.user.delete({ where: { id: userId } })
+  return { success: true }
+}
+```
+**Correct (authentication inside the action):**
+```typescript
+'use server'
+import { verifySession } from '@/lib/auth'
+import { unauthorized } from '@/lib/errors'
+export async function deleteUser(userId: string) {
+  // Always check auth inside the action
+  const session = await verifySession()
+  if (!session) {
+    throw unauthorized('Must be logged in')
+  }
+  // Check authorization too
+  if (session.user.role !== 'admin' && session.user.id !== userId) {
+    throw unauthorized('Cannot delete other users')
+  }
+  await db.user.delete({ where: { id: userId } })
+  return { success: true }
+}
+```
+**With input validation:**
+```typescript
+'use server'
+import { verifySession } from '@/lib/auth'
+import { z } from 'zod'
+const updateProfileSchema = z.object({
+  userId: z.string().uuid(),
+  name: z.string().min(1).max(100),
+  email: z.string().email()
+})
+export async function updateProfile(data: unknown) {
+  // Validate input first
+  const validated = updateProfileSchema.parse(data)
+  // Then authenticate
+  const session = await verifySession()
+  if (!session) {
+    throw new Error('Unauthorized')
+  }
+  // Then authorize
+  if (session.user.id !== validated.userId) {
+    throw new Error('Can only update own profile')
+  }
+  // Finally perform the mutation
+  await db.user.update({
+    where: { id: validated.userId },
+    data: {
+      name: validated.name,
+      email: validated.email
+    }
+  })
+  return { success: true }
+}
+```
+Reference: [https://nextjs.org/docs/app/guides/authentication](https://nextjs.org/docs/app/guides/authentication)

package/skills/react-best-practices/rules/server-cache-lru.md ADDED Viewed

@@ -0,0 +1,41 @@
+---
+title: Cross-Request LRU Caching
+impact: HIGH
+impactDescription: caches across requests
+tags: server, cache, lru, cross-request
+---
+## Cross-Request LRU Caching
+`React.cache()` only works within one request. For data shared across sequential requests (user clicks button A then button B), use an LRU cache.
+**Implementation:**
+```typescript
+import { LRUCache } from 'lru-cache'
+const cache = new LRUCache<string, any>({
+  max: 1000,
+  ttl: 5 * 60 * 1000  // 5 minutes
+})
+export async function getUser(id: string) {
+  const cached = cache.get(id)
+  if (cached) return cached
+  const user = await db.user.findUnique({ where: { id } })
+  cache.set(id, user)
+  return user
+}
+// Request 1: DB query, result cached
+// Request 2: cache hit, no DB query
+```
+Use when sequential user actions hit multiple endpoints needing the same data within seconds.
+**With Vercel's [Fluid Compute](https://vercel.com/docs/fluid-compute):** LRU caching is especially effective because multiple concurrent requests can share the same function instance and cache. This means the cache persists across requests without needing external storage like Redis.
+**In traditional serverless:** Each invocation runs in isolation, so consider Redis for cross-process caching.
+Reference: [https://github.com/isaacs/node-lru-cache](https://github.com/isaacs/node-lru-cache)

package/skills/react-best-practices/rules/server-cache-react.md ADDED Viewed

@@ -0,0 +1,76 @@
+---
+title: Per-Request Deduplication with React.cache()
+impact: MEDIUM
+impactDescription: deduplicates within request
+tags: server, cache, react-cache, deduplication
+---
+## Per-Request Deduplication with React.cache()
+Use `React.cache()` for server-side request deduplication. Authentication and database queries benefit most.
+**Usage:**
+```typescript
+import { cache } from 'react'
+export const getCurrentUser = cache(async () => {
+  const session = await auth()
+  if (!session?.user?.id) return null
+  return await db.user.findUnique({
+    where: { id: session.user.id }
+  })
+})
+```
+Within a single request, multiple calls to `getCurrentUser()` execute the query only once.
+**Avoid inline objects as arguments:**
+`React.cache()` uses shallow equality (`Object.is`) to determine cache hits. Inline objects create new references each call, preventing cache hits.
+**Incorrect (always cache miss):**
+```typescript
+const getUser = cache(async (params: { uid: number }) => {
+  return await db.user.findUnique({ where: { id: params.uid } })
+})
+// Each call creates new object, never hits cache
+getUser({ uid: 1 })
+getUser({ uid: 1 })  // Cache miss, runs query again
+```
+**Correct (cache hit):**
+```typescript
+const getUser = cache(async (uid: number) => {
+  return await db.user.findUnique({ where: { id: uid } })
+})
+// Primitive args use value equality
+getUser(1)
+getUser(1)  // Cache hit, returns cached result
+```
+If you must pass objects, pass the same reference:
+```typescript
+const params = { uid: 1 }
+getUser(params)  // Query runs
+getUser(params)  // Cache hit (same reference)
+```
+**Next.js-Specific Note:**
+In Next.js, the `fetch` API is automatically extended with request memoization. Requests with the same URL and options are automatically deduplicated within a single request, so you don't need `React.cache()` for `fetch` calls. However, `React.cache()` is still essential for other async tasks:
+- Database queries (Prisma, Drizzle, etc.)
+- Heavy computations
+- Authentication checks
+- File system operations
+- Any non-fetch async work
+Use `React.cache()` to deduplicate these operations across your component tree.
+Reference: [React.cache documentation](https://react.dev/reference/react/cache)

package/skills/react-best-practices/rules/server-dedup-props.md ADDED Viewed

@@ -0,0 +1,65 @@
+---
+title: Avoid Duplicate Serialization in RSC Props
+impact: LOW
+impactDescription: reduces network payload by avoiding duplicate serialization
+tags: server, rsc, serialization, props, client-components
+---
+## Avoid Duplicate Serialization in RSC Props
+**Impact: LOW (reduces network payload by avoiding duplicate serialization)**
+RSC→client serialization deduplicates by object reference, not value. Same reference = serialized once; new reference = serialized again. Do transformations (`.toSorted()`, `.filter()`, `.map()`) in client, not server.
+**Incorrect (duplicates array):**
+```tsx
+// RSC: sends 6 strings (2 arrays × 3 items)
+<ClientList usernames={usernames} usernamesOrdered={usernames.toSorted()} />
+```
+**Correct (sends 3 strings):**
+```tsx
+// RSC: send once
+<ClientList usernames={usernames} />
+// Client: transform there
+'use client'
+const sorted = useMemo(() => [...usernames].sort(), [usernames])
+```
+**Nested deduplication behavior:**
+Deduplication works recursively. Impact varies by data type:
+- `string[]`, `number[]`, `boolean[]`: **HIGH impact** - array + all primitives fully duplicated
+- `object[]`: **LOW impact** - array duplicated, but nested objects deduplicated by reference
+```tsx
+// string[] - duplicates everything
+usernames={['a','b']} sorted={usernames.toSorted()} // sends 4 strings
+// object[] - duplicates array structure only
+users={[{id:1},{id:2}]} sorted={users.toSorted()} // sends 2 arrays + 2 unique objects (not 4)
+```
+**Operations breaking deduplication (create new references):**
+- Arrays: `.toSorted()`, `.filter()`, `.map()`, `.slice()`, `[...arr]`
+- Objects: `{...obj}`, `Object.assign()`, `structuredClone()`, `JSON.parse(JSON.stringify())`
+**More examples:**
+```tsx
+// ❌ Bad
+<C users={users} active={users.filter(u => u.active)} />
+<C product={product} productName={product.name} />
+// ✅ Good
+<C users={users} />
+<C product={product} />
+// Do filtering/destructuring in client
+```
+**Exception:** Pass derived data when transformation is expensive or client doesn't need original.

package/skills/react-best-practices/rules/server-parallel-fetching.md ADDED Viewed

@@ -0,0 +1,83 @@
+---
+title: Parallel Data Fetching with Component Composition
+impact: CRITICAL
+impactDescription: eliminates server-side waterfalls
+tags: server, rsc, parallel-fetching, composition
+---
+## Parallel Data Fetching with Component Composition
+React Server Components execute sequentially within a tree. Restructure with composition to parallelize data fetching.
+**Incorrect (Sidebar waits for Page's fetch to complete):**
+```tsx
+export default async function Page() {
+  const header = await fetchHeader()
+  return (
+    <div>
+      <div>{header}</div>
+      <Sidebar />
+    </div>
+  )
+}
+async function Sidebar() {
+  const items = await fetchSidebarItems()
+  return <nav>{items.map(renderItem)}</nav>
+}
+```
+**Correct (both fetch simultaneously):**
+```tsx
+async function Header() {
+  const data = await fetchHeader()
+  return <div>{data}</div>
+}
+async function Sidebar() {
+  const items = await fetchSidebarItems()
+  return <nav>{items.map(renderItem)}</nav>
+}
+export default function Page() {
+  return (
+    <div>
+      <Header />
+      <Sidebar />
+    </div>
+  )
+}
+```
+**Alternative with children prop:**
+```tsx
+async function Header() {
+  const data = await fetchHeader()
+  return <div>{data}</div>
+}
+async function Sidebar() {
+  const items = await fetchSidebarItems()
+  return <nav>{items.map(renderItem)}</nav>
+}
+function Layout({ children }: { children: ReactNode }) {
+  return (
+    <div>
+      <Header />
+      {children}
+    </div>
+  )
+}
+export default function Page() {
+  return (
+    <Layout>
+      <Sidebar />
+    </Layout>
+  )
+}
+```

package/skills/react-best-practices/rules/server-serialization.md ADDED Viewed

@@ -0,0 +1,38 @@
+---
+title: Minimize Serialization at RSC Boundaries
+impact: HIGH
+impactDescription: reduces data transfer size
+tags: server, rsc, serialization, props
+---
+## Minimize Serialization at RSC Boundaries
+The React Server/Client boundary serializes all object properties into strings and embeds them in the HTML response and subsequent RSC requests. This serialized data directly impacts page weight and load time, so **size matters a lot**. Only pass fields that the client actually uses.
+**Incorrect (serializes all 50 fields):**
+```tsx
+async function Page() {
+  const user = await fetchUser()  // 50 fields
+  return <Profile user={user} />
+}
+'use client'
+function Profile({ user }: { user: User }) {
+  return <div>{user.name}</div>  // uses 1 field
+}
+```
+**Correct (serializes only 1 field):**
+```tsx
+async function Page() {
+  const user = await fetchUser()
+  return <Profile name={user.name} />
+}
+'use client'
+function Profile({ name }: { name: string }) {
+  return <div>{name}</div>
+}
+```

package/skills/vibe-code-review/SKILL.md ADDED Viewed

@@ -0,0 +1,70 @@
+---
+name: vibe-code-review
+description: "A code quality and architecture review skill designed for AI-generated (vibe-coded) codebases. Use this skill whenever the user asks to review, audit, analyze, or assess code quality of a project — especially one built with AI agents. Trigger on phrases like 'review my code', 'check code quality', 'is my architecture solid', 'run a health check', 'audit my codebase', 'check for tech debt', 'analyze my project', or any mention of code review for vibe-coded or agent-generated projects. Also trigger when the user asks about architectural consistency, error handling quality, duplication, coupling, dependency health, or test quality. This skill runs in phases — from quick PR-level diffs to full codebase scans — and produces structured reports a non-coder can understand."
+---
+# Vibe Code Review Skill
+## Purpose
+This skill reviews AI-generated codebases for structural integrity without requiring the user to read code. It shifts the review model from "read every line" to "validate the architecture" — like a building inspector checking foundation, load-bearing walls, and plumbing rather than every brick.
+## When to Use
+- User asks to review or audit code quality
+- User wants to know if their vibe-coded project is architecturally sound
+- User wants a health check on a codebase they didn't write themselves
+- User asks about tech debt, coupling, duplication, or error handling
+- User wants a PR or git diff analyzed before merging
+- User wants to compare code quality over time
+## How It Works
+The skill operates in **four review modes** depending on what the user needs. Always ask which mode they want, or infer from context. Read the appropriate reference file before executing.
+| Mode | When to Use | Reference |
+|------|-------------|-----------|
+| **Quick Scan** | Fast health check of the whole project | `references/quick-scan.md` |
+| **PR Review** | Analyze a git diff or set of changed files | `references/pr-review.md` |
+| **Deep Audit** | Comprehensive full-codebase analysis | `references/deep-audit.md` |
+| **Trend Check** | Compare metrics over time | `references/trend-check.md` |
+## Workflow
+1. **Identify the mode** — Ask the user or infer from their request
+2. **Read the reference file** for that mode — it contains the exact checks and scripts to run
+3. **Detect the tech stack** — Look at package.json, requirements.txt, go.mod, Cargo.toml, etc. to determine language and framework
+4. **Run the checks** — Execute the scripts and analysis steps from the reference file
+5. **Generate the report** — Use the report template from `references/report-template.md`
+6. **Explain in plain language** — The user may not read code. Every finding needs a "what this means" explanation using real-world analogies
+## Core Principles
+These six dimensions form the backbone of every review, regardless of mode:
+1. **Architectural Consistency** — Is the codebase using one pattern or five? AI agents mix MVC, event-driven, and procedural styles. Map the patterns in use and flag conflicts.
+2. **Error Handling** — What happens when things fail? AI-generated code handles happy paths beautifully and ignores edge cases. Look for empty catch blocks, swallowed errors, missing validation, and absent retry logic.
+3. **Data Flow** — Can you trace how data moves from input to storage to output? If the data flow is untraceable, security vulnerabilities are hiding. Flag any data path that can't be followed in under 2 minutes.
+4. **Duplication** — AI agents reinvent solutions constantly. The same utility function appears in three files with slightly different implementations. Detect near-duplicates, not just exact copies.
+5. **Test Quality** — Coverage percentages are meaningless if tests don't catch real bugs. Assess whether tests would actually break if logic changed. When possible, suggest mutation testing.
+6. **Coupling** — How tangled are the modules? Can you change one component without breaking five others? This is the most important long-term sustainability metric. Visualize the dependency graph.
+## Non-Coder-Friendly Explanations
+Every finding in the report must include a plain-language analogy. The user orchestrates AI agents — they understand systems thinking, but not code syntax. Use analogies like:
+- **High coupling** → "Pulling one wire in the wall takes down the whole electrical system"
+- **Empty catch blocks** → "Your smoke detectors have dead batteries — fires happen silently"
+- **Duplication** → "Three different departments each built their own payroll system"
+- **Architectural inconsistency** → "Half the building uses metric, half uses imperial"
+- **Dead code** → "Rooms in the house that no hallway leads to"
+- **Dependency bloat** → "You hired 50 subcontractors for a 3-person job"
+## Keywords
+code review, code quality, architecture review, tech debt, vibe coding, AI-generated code, agent code, health check, audit, duplication, coupling, error handling, dependency check, PR review, git diff analysis, codebase scan